Beginner's Guide for WordPress / Start your WordPress Blog in minutes

What, Why, and Hows of WordPress Security Keys

If you are using WordPress and did a little reading about WordPress Security, then you should have seen a mention of WordPress Security Keys (Secret Keys). In this article, we will explain the what, why, and hows of WordPress Security Keys for WordPress Beginners.

What are WordPress Security Keys?

WordPress Security Keys is a set of random variables that improve encryption of information stored in the user’s cookies. There are a total of four security keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY

Why use WordPress Security Keys?

These security keys makes it harder to crack your password. A non-encrypted password like “username” or “wordpress” can be easily broken, but a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination. You should use WordPress Security keys to increase security of your WordPress powered blogs or websites.

How to use WordPress Security Keys on my site?

Self-hosted WordPress blogs does not have the Security Keys defined. You would need to add these yourself. It is a very simple and easy process, that you should be able to do as long as you know how to use FTP.

First, you would need to get your own unique Secret Key. WordPress has a random generator that can give you these secret keys. We recommend that you use that rather than inventing your own.

Second step is to modify your wp-config.php (file). You will find this file located in your WordPress root folder (the same folder where your wp-content and other folders are stored). In your wp-config.php file on line 45, you should see something like this:

WordPress Security Keys - wp-config file

Simply take your security key that we grabbed in step 1 and paste them accordingly in the following lines.

Save your wp-config.php file, and you are done. If you were logged into your WordPress admin panel, then you will be asked to log back in again.

Other Frequently Asked Questions (FAQs)

Do I have to remember my Security Keys?

No, you do not have to remember the security key. You have to paste it once in the wp-config.php file and that is it.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit – a collection of WordPress related products and resources that every professional should have!

Reader Interactions

22 CommentsLeave a Reply

  1. Hi,

    Will it affect anything besides “extreme” increased security if one has the web browser set to delete all history, temp, cookies etc. every time it is shut down AND if one changes the SALT in wp-config after logging out each time?


  2. Hi,
    I have 2 url product,for 1 this:

    why? how should i fix it? please help me.

    • Hi shanderman,

      Please visit Settings » Permalinks page to make sure that your WordPress site is using SEO friendly URLs.

      After that view your website’s source code and make sure that it is showing the URL format that you like.

      The ugly URL structure will still work in WordPress if you typed it in the browser. However, your product’s canonical URL will be the one you choose on the permalinks settings page. This is the URLs that search engines will follow and index.


  3. I am a beginner to WordPress , i have a doubt how those keys make the WordPress secure ? i want to know the actual role and working of the keys ?

  4. What is the actual benefit of these using the keys in config.php. Can you define how it will work to prevent the hackers?

  5. Hi , i have used this method and can not log onto my site at all. how do i fix it or remove the issues

  6. Just a quick question… Why do you suggest to:

    We recommend that you use that rather than inventing your own.

    Instead of the latter? Have you got some links that dig this approach?
    Thank you in advance!

    • Was just gonna ask “why don’t they just automatically generate these for you?” but you answered it ;)

  7. Appreciate this information and quickly updated my files. My concern is the same as Ricks’ from April in that if my wp-config.php file is hacked then these keys are available to whomever is looking at them correct? But then I thought that if my wp file is hacked and someone other than me is looking at them I am already in trouble…

    Any precaution is better than just hoping for the best though! Thank you for your work and efforts.

  8. Hi
    Thanks for a short and informative post.
    I notice that in your example there are four secret keys.
    There appear to be more secret keys in WordPress 3.0 – can these be added to previous versions of WordPress?

  9. Um, so does this change your admin password or what? I don’t understand what this does? Maybe that’s because I’m not a hacker. But, if this is just stored in your config.php file, wouldn’t it be way easier for a hacker just to hack into your ftp site and nab this security key out of the config file?

    I want my WordPress sites to be more secure, but I just don’t understand what this is preventing?

  10. Nicely said. The directions are pretty easy, but I think the security and safety is understated in the documentation. Thanks for spelling it out and making the web a safer place.

  11. if you develop multiple wordpress sites do you create a security key for each one or use the same one on all of them?

  12. While you’re adt it:
    Why not define the salt constants and save yourself some database queries?!

    It should look like this:

    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');

    This article from Digging into WordPress explains the advantages of this practice.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.